Control: The Scariest Thing about Securing Mobile Devices

Due to the Lack of Control over Mobile Clients, Users Will be Relied on More than Ever.

Huge was the outcry from antivirus vendors after Google's Open Source Program Manager, Chris DiBona, called them charlatans, chiding them and anyone involved to “feel ashamed of themselves", saying "No major cell phone has a 'virus' problem in the traditional sense that Windows and some Mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sand-boxing models and the nature of the underlying kernels."

Kaspersky Lab immediately jumped to the defense, stating “Unlike on iOS and RIM, Android malware continues to grow at a rapid rate ...This exponential growth curve of malware for Android is extremely similar to that which we've seen for Windows malware, and while Android anti-malware products are still not a necessity like they are on PCs, users should strongly consider using them if they're concerned about the information they store on their devices and the security transactions they perform with it."

Leaving aside the fact that Kaspersky Lab sells Mobile Antivirus Protection and the resulting conflict of interest, do they have a point? Or is DiBona on the mark?

There definitely seems to be three firm camps today regarding this question: The camp that believes that the next digital apocalypse will be ushered in by horsemen wielding android gadgets instead of scythes, the camp that believes that smart devices are just another device to integrate into the policy, and lastly the “What’s a smart phone?” camp.

I can’t really say much about the last camp aside from recommending they possibly consider moving from their cave, to somewhere nearer to 2011, but regarding the first two, I have a thought or two.

VentureBeat’s Nicolas Perpoco wrote a piece that is worth considering, because it really describes the crux of the problem; that mobile devices are not just mini-pc’s. There is absolutely no arguing that they have all of the basic components that a personal computer has, but that is truly where the similarities end. The differences are far more important than the shared points, and will scupper most traditional security approaches, which all hinge on one really simple idea.

Control.

More importantly, that YOU have control.

Control of who can access what from where with which devices using software and hardware as designated by you. A mobile device on the other hand:

• Can be used anywhere; anytime; by anyone

• Anything can be installed; by anyone.

• You often cannot patch it, control it remotely, or reliably monitor it.

• Users can choose different models; with different versions and distributions and varying different app store sources.

• With the trend of consumerization, it’s possible the device may not even belong to the company.

Now let that sink in a second. Let it roll around your mind, and hopefully fire the neural pathways that used to contain the security best practices from days gone yore, before the cloud, before mobile dominance. Like 2008. Yes. It is indeed insane.

Under any other circumstances, if anyone came to you asking if they could hook up any other device with a security concern list like that, you would think them mad and usher them to the nearest sanatorium.

Looking at it from that angle, Mobile devices in most circumstances are the antithesis of control. And thus, the antithesis of Security.

Most of today’s mobile security do not mitigate these concerns. They address the risk that individual users face, but often not enough to alleviate the threat to enterprise and government adopters. Considering the fact that most of these devices are privately owned, control will always be severely limited. Whatever high-tech, expensive security infrastructure you have lovingly and painfully built up, you just made as redundant as castle walls after the invention of the siege cannon.

Google’s DiBona does not have to worry about cleaning up after a security breach, and as such his blind faith in the security model of android seems naive and misplaced. It is also the security professionals role to guard and secure against potential future threats, even if currently only hypothetical. Many a noble wasted money on castle walls thinking those inaccurate, self-exploding bronze cylinders would never really take off.

If you do allow mobile devices though, you should take the same approach as for any potentially hostile 3rd party network participant. Here are some measures to consider in terms of these mobile devices:

• Lock them up, restrict their access, sandbox them in. Really. Guest networks are long a staple of the security toolbox, and access control should be applied on a white-list, rather than a black-list basis

• Develop a Mobile Portal - You may consider providing access to specialised mobile services, instead of letting users roam the holy of holies, the inner sanctum of the intranet. Web-based email services can be configured to prevent local storage of messages and files for example

• Limit functionality - Access to Email is definitely an understandable need for a mobile user, but enabling mobile access to billing applications for users who don’t require it is just asking for trouble.

• Create a concise Usage Policy and implement it - Ensure that your users are made aware not to store company files or data on their phones without proper security controls and measures in place.

Aside from banning them outright, due to the utter lack of control over mobile clients, the user will be relied on more than ever. You will have to rely on their good judgement, their security awareness and their ability to follow security guidelines.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany.
He has over a decade of Information Security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and and given interviews on the topics of Information and Offensive Security, as well as Cyber-Terrorism and Hacker Culture.